How new research aims to protect our privacy on IPv6 networks

IPv6: It's new, and because of that, likely to have security issues. Find out why lack of privacy doesn't have to be one of them.

Are you ready? IPv6 Day is just around the corner on June 8, 2011:

"Google, Facebook, Yahoo!, Akamai, and Limelight Networks will be some of the organizations offering their content over IPv6 for a 24-hour 'test flight'."

The website explains:

"The goal is to motivate organizations -- Internet-service providers, hardware makers, operating-system vendors and web companies -- to prepare their services for IPv6, ensuring a successful transition as IPv4 addresses run out."

I use Gmail as an aggregator, so I'm more than a little interested in how June 8th turns out. Why? Once you get past the rhetoric, IPv6 Day is all about finding out what breaks.

IPv6 can't shake security issues

During the past four years, I have written a lot about IPv6. I even gathered up enough courage to record several podcasts with Joe Klein, a noted authority on IPv6. That effort cemented something for me. IPv6 is more complex than I imagined -- something security geeks do not like to hear.

IPv6 addresses many security lapses that surfaced with IPv4. But IPv6 also introduces new security concerns. One that comes up often is that every networked device will have a globally routable IP address under IPv6, thus exposing it to the vagaries of the Internet.

Visibility lessens privacy

With every device accessible via the Internet, it becomes easier to track individuals by their address. This is not lost on a group of Virginia Tech researchers, who in an earlier paper determined:

"Autoconfigured addresses, the default addressing system in IPv6, provide a third party a means to track and monitor targeted users globally using simple tools such as ping and traceroute. Signed messages also expose the identities of both the sender and receiver to a third party."

The research team didn't care much for that, particularly when the default addressing scheme used by IPv6 exposes the device's MAC address to the Internet world. So they devised a deterrent called Moving Target IPv6 Defense (MT6D), which provides:

"A means for hosts to communicate with each other over the public Internet while maintaining complete anonymity from targeting, tracking and traffic correlation."

This is a big deal. The research team of Stephen Groat, Matthew Dunlop, William Urbanski, Randolph Marchany, and Joseph Tront has a patent pending for their work, and took third-place honors at the 2011 National Security Innovation Competition.

It seems to me the team has overcome the privacy issue. But, knowing just enough about IPv4 and IPv6 to be dangerous, I felt it best to ask the researchers to explain what they accomplished.

Kassner: The research paper mentions privacy implications arise when using stateless address auto-configuration in IPv6. Could you explain what stateless address auto-configuration is and why it impacts privacy?

Research team: Stateless Address Autoconfiguration (SLAAC) is a method IPv6 hosts use to self-configure addresses. Having hosts configure their own addresses reduces the management burden placed on network administrators. This is a change from IPv4, where hosts were issued addresses from a DHCP server.

The problem with SLAAC is that host addresses or interface identifiers (IIDs) stay the same regardless of the subnet they connect to. The default addressing scheme, referred to as the 64-bit extended unique identifier (EUI-64), uses the MAC address as the IID. The result is that an attacker, armed with a list of subnets and a host's MAC address, can track and attack the host from anywhere in the world.

Kassner: I have read that newer versions of Microsoft operating systems use privacy extensions to conceal the MAC address portion. Isn't that sufficient?

Research team: Privacy extensions are an improvement, but they only protect the client from attack and leave the server vulnerable. Since privacy extensions do not change often enough to prevent network attacks, they are not effective for globally available systems that require static addressing to ensure connectivity, like web servers or VPN endpoints.

These systems are still easy to target for attack. Also, privacy extensions are primarily implemented for web traffic communications. Other technologies, such as VoIP and VPNs, cannot function with privacy extensions.

The privacy extensions used by the Windows OS also rely on another IPv6 address that is used in neighbor discovery, local DNS, and other functions. This address is static and is reachable by other hosts. An attacker that observes this address can use it to attack a target machine.
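The two answers above turn on one mechanical fact: with EUI-64, the interface identifier is computed from the MAC address and therefore stays the same on every subnet the host visits. The following Python is an added example, not code from the article or from the MT6D project. It derives the EUI-64 identifier the way SLAAC does (split the MAC, insert ff:fe, flip the universal/local bit), recovers the MAC from an address that embeds one, and audits a constructed list of addresses for the two exposures described: a MAC visible in the address, and an identifier reused across prefixes. The sample addresses and MAC are constructed for the example; an identifier that merely happens to contain ff:fe at the marker position is a false positive the check cannot rule out.

```python
"""Added example (not from the article or the MT6D project): derive EUI-64
interface identifiers and audit IPv6 addresses for the tracking exposures
described in the interview."""
import ipaddress


def eui64_iid_from_mac(mac: str) -> bytes:
    """Build the 8-byte EUI-64 IID that SLAAC derives from a 48-bit MAC:
    split the MAC in half, insert 0xFFFE, and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # invert the U/L bit (bit 1 of the first octet)
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 IID, as SLAAC does. The IID is
    the same for every prefix, which is the tracking handle."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_iid_from_mac(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str):
    """Return the MAC embedded in an EUI-64 address, or None when the IID
    lacks the ff:fe marker (e.g. a randomized privacy-extension address).
    A random IID carries ff:fe at that position 1 time in 65536, so a hit
    is strong evidence, not proof."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def iids_seen_on_multiple_prefixes(addresses):
    """Return the hex IIDs that appear under more than one /64 prefix: the
    same host showing up on several networks with an unchanged identifier."""
    prefixes_by_iid = {}
    for a in addresses:
        packed = ipaddress.IPv6Address(a).packed
        prefixes_by_iid.setdefault(packed[8:].hex(), set()).add(packed[:8])
    return {iid for iid, prefixes in prefixes_by_iid.items() if len(prefixes) > 1}


def audit(addresses):
    """Label each address with the MAC it exposes (if any) and whether its
    IID has been observed on other prefixes."""
    reused = iids_seen_on_multiple_prefixes(addresses)
    return {
        a: {
            "embedded_mac": mac_from_address(a),
            "iid_reused_across_prefixes": ipaddress.IPv6Address(a).packed[8:].hex() in reused,
        }
        for a in addresses
    }


# Constructed sample: one EUI-64 host seen on two subnets, one randomized IID.
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"
SAMPLE_ADDRESSES = [
    "2001:db8:1:0:21a:2bff:fe3c:4d5e",
    "2001:db8:2:0:21a:2bff:fe3c:4d5e",
    "2001:db8:1:0:d4e1:9b2c:7f03:a6c8",
]

if __name__ == "__main__":
    print(slaac_address("2001:db8:1::/64", SAMPLE_MAC))
    for addr, finding in audit(SAMPLE_ADDRESSES).items():
        print(addr, finding)
```

Run against a neighbor cache or flow logs, `audit` picks out the hosts whose addresses hand out their hardware identity, which is the population that privacy extensions (or MT6D) would need to cover.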

Kassner: The research team's answer for increased privacy and security is MT6D, a system whereby the sender's address and the receiver's address are dynamically changed. What does this accomplish?

Research team: Dynamically rotating addresses preserves the privacy, anonymity, and security of communicating hosts. Our technique is analogous to frequency hopping. An attacker observing network traffic sees multiple unique host pairs communicating on the network when really the same two hosts are communicating.

The attacker has no information as to the actual identities of either communicating host nor can the attacker easily target a specific address for attack.

Kassner: MT6D also encrypts the message traffic. Does that mean IPsec would no longer be required?

Research team: MT6D can be seen as an enhancement to IPsec. IPsec is able to encrypt network traffic but requires static addresses. If IPsec is deployed at a host or gateway, an attacker can prevent communication by launching a denial of service attack against the host or gateway.

MT6D provides network-layer encryption and also dynamically obscures addresses. An attacker cannot eavesdrop on MT6D-encapsulated network traffic, just as in IPsec, and the attacker cannot find a static target to launch a denial of service attack against.

Kassner: Your report points out:

"A key feature of MT6D is that address changes can be made mid-session between two hosts without causing connection reestablishment or breakdown."

This is unique, isn't it? Are you altering the 3-way TCP handshake?

Research team: MT6D creates a tunnel that encapsulates all traffic and does not modify the TCP 3-way handshake. Tunneling limits the overhead of TCP sessions by treating all layer-4 protocols equally. Address rotation occurs mid-session without disturbing existing sessions or causing additional 3-way handshakes.

Kassner: The paper made mention that MT6D is designed to thwart certain network attacks. Which ones? Is that because dynamic addresses are used?

Research team: MT6D can prevent many targeted network attacks (e.g. denial of service) and application-layer exploits as well. It does this by dynamically obscuring the target host's address. Since the size of the IPv6 network is so vast, it is statistically infeasible for an attacker to locate a host by scanning.

Even if an attacker attacks a host address learned through sniffing, the duration of the attack is at most the time between address rotations.

Kassner: The paper also mentions that Virginia Tech is the perfect place to test IPv6 applications. Why is that?

Research team: Virginia Tech is one of the few places in the country that has a full-production IPv6 network. In fact, it is the largest campus IPv6 deployment in the US, supporting over 30,000 nodes. The production network allows us to test MT6D in a production environment.

Kassner: I read that MT6D could be applied to IPv4 networks. Does it make sense to do that? Or would it make more sense to convert the networks to IPv6 first?

Research team: Although the MT6D concept would work on an IPv4 network, there are two issues. First, IPv4 subnets are so small that an attacker can exhaustively scan a typical subnet in a matter of minutes. This makes locating targets much easier. Second, IPv4 does not have enough available addresses for addresses to rotate without having address collisions.

IPv6 subnets are 64 bits, meaning that the entire IPv4 address space can fit into a single IPv6 subnet over 4 billion times. Exhaustively scanning a network of this size is currently infeasible.

Also, due to the large IPv6 address space, the probability of address collisions is extremely small. Therefore, it makes the most sense to apply MT6D to IPv6 deployments.
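The rotation idea the team describes (the frequency-hopping analogy, the bound on how long a sniffed address stays useful) and the collision point made in the last answer can both be seen in a small model. The Python below is an added example, not code from the article or from the MT6D project: both endpoints derive the current interface identifier from a shared secret and the time slot, so the address pair an observer records changes every interval while the two hosts stay synchronized, and a population of hosts rotating independently in a 64-bit identifier space does not collide. The HMAC-over-slot construction, the 10-second interval, the keys and the 2001:db8:a::/64 prefix are assumptions chosen for illustration; they are not the published MT6D algorithm, which the article does not detail.

```python
"""Added example (not from the article or the MT6D project): a simplified
model of synchronized address rotation between two endpoints."""
import hashlib
import hmac
import ipaddress

# Constructed values: a documentation prefix and an assumed rotation interval.
PREFIX = int(ipaddress.IPv6Network("2001:db8:a::/64").network_address)
ROTATION_SECONDS = 10

# Constructed per-host secrets; both ends of a conversation hold both keys.
KEY_A = b"constructed-secret-for-host-A"
KEY_B = b"constructed-secret-for-host-B"


def slot_for(t: int) -> int:
    """Time-slot index; every endpoint with a synchronized clock agrees on it."""
    return int(t) // ROTATION_SECONDS


def rotated_iid(key: bytes, slot: int) -> int:
    """Assumed construction: HMAC-SHA256 over the slot number, truncated to a
    64-bit IID. Only holders of `key` can predict the next identifier."""
    digest = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def rotated_address(key: bytes, t: int) -> str:
    """Address a host with `key` uses at time t, inside the fixed /64."""
    return str(ipaddress.IPv6Address(PREFIX | rotated_iid(key, slot_for(t))))


def in_rotation_prefix(addr: str) -> bool:
    """True when addr falls in the /64 the model rotates within."""
    return int(ipaddress.IPv6Address(addr)) >> 64 == PREFIX >> 64


def observed_pairs(key_a: bytes, key_b: bytes, start: int, end: int):
    """What a passive observer records while A and B talk during [start, end):
    a fresh (src, dst) pair every slot, each looking like a new host pair."""
    return [(rotated_address(key_a, t), rotated_address(key_b, t))
            for t in range(start, end, ROTATION_SECONDS)]


def seconds_until_rotation(t: int) -> int:
    """A sniffed address stops reaching the host when its slot ends, so an
    attack aimed at it lasts at most this long."""
    return ROTATION_SECONDS - (int(t) % ROTATION_SECONDS)


def same_slot_collisions(keys, slots: int) -> int:
    """Count hosts landing on an identical IID in the same slot. With 64-bit
    identifiers this is expected to be zero for any realistic subnet."""
    collisions = 0
    for s in range(slots):
        seen = set()
        for k in keys:
            iid = rotated_iid(k, s)
            if iid in seen:
                collisions += 1
            seen.add(iid)
    return collisions


if __name__ == "__main__":
    for src, dst in observed_pairs(KEY_A, KEY_B, 0, 60):
        print(f"{src} -> {dst}")
    hosts = [f"constructed-host-{i}".encode() for i in range(2000)]
    print("collisions among 2000 hosts over 3 slots:", same_slot_collisions(hosts, 3))
```

The observer's view is the point: six slots produce six unrelated-looking address pairs, yet `rotated_address` is deterministic within a slot, so the two real hosts never lose each other. The model omits what a deployment needs around the core idea, notably clock skew tolerance and the tunnel that keeps transport sessions alive across a change.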

Final thoughts

It appears that MT6D is well positioned to protect user privacy and eliminate several attack vectors despite our computers being directly connected to the Internet.